Part two of Qrypt’s “Quantum-Security Essentials” series of articles.
In our Quantum-Security Essentials series, we demystify the integral aspects of quantum security. In our previous post, we explored the basics of quantum cryptography, differentiating between quantum-safe and quantum-secure solutions, emphasizing the need for the latter in the face of an imminent quantum computing revolution. Now, we turn our focus to the tools making quantum-secure solutions possible. In the first post, we introduced quantum cryptography, highlighted the crucial difference between quantum-safe and quantum-secure solutions, and emphasized the importance of adopting quantum-secure solutions in today’s rapidly evolving digital landscape. This second post dives deeper into the fundamental tools that underpin quantum security, specifically focusing on Quantum Random Number Generation (QRNG) and Quantum-Secure Key Generation (QKG).
II. Quantum Random Number Generation
A cornerstone of any cryptographic system is random number generation. The randomness and unpredictability of these numbers underpin the security of cryptographic keys, making it critical for the numbers to be truly random. Quantum Random Number Generation (QRNG), a cornerstone of quantum security, fulfills this requirement by harnessing quantum mechanics, a realm where unpredictability and randomness are innate. This is the only known source of true randomness according to current scientific understanding.
In QRNGs, random numbers are generated by measuring quantum phenomena, the outcome of specially prepared quantum experiments, such as a radioactive atom’s decay or a photon’s polarization. The output of these quantum processes are fundamentally random, making it impossible to predict their outcomes even with perfect knowledge of their state. This randomness is vital to ensuring the security of cryptographic keys, which depend on the unpredictability of these random numbers.
Contrarily, traditional random number generators, often used in cryptographic systems, are not truly random. These generators, also known as pseudorandom number generators (PRNGs), use algorithms to produce sequences of numbers that appear random. PRNGs start from an initial value called a seed. From this seed, they generate a sequence of numbers that, while appearing random, is entirely deterministic and repeatable given the same seed. This is insufficient for secure encryption keys, which require true randomness to avoid predictability and potential cryptographic breakage.
Furthermore, even so-called ‘random’ numbers generated from physical processes such as atmospheric noise, mouse movements, or hardware interruptions, while more random than PRNGs, still contain some degree of predictability, as these physical processes themselves have deterministic components. This predictability can be exploited in what’s known as a side-channel attack, wherein an attacker gains information about the encryption key by analyzing patterns in these ‘random’ numbers. This is another reason why the true randomness provided by QRNG is essential for cryptographic security and for any application where pure unpredictability is required, like Monte Carlo simulations or lottery drawings.
Returning to quantum random sources and measurements, not all sources and measurements are equal! The first point is that statistical tests cannot prove a series of numbers is random. They can only strongly imply they are not. Vendors marketing the results of statistical test suite (STS) as proof of randomness are trying to dupe their clients. The National Institute for Science and Technology (NIST) evaluated and now rejects STS use for assessing cryptographic random number generators, but we often see it marketing materials today.
At Qrypt, entropy from each quantum source is validated using theoretical models that explain quantum mechanical behavior described in our patents and papers. As noted, STS testing is not valid to prove an entropy source is random. As such, quantum entropy sources must be characterized from physical analysis of the electronic collection system of the quantum effect under measurement, followed by an estimation of the classical (nonquantum) noise present. Qrypt Quantum Entropy testing involves quantifying min-entropy (maximum extractable randomness) analytically from a probability distribution that explains the quantum measurement. Post-extraction, a uniform probability distribution is generated that is statistically tested using recommended NIST battery of tests. Qrypt will share this information upon request.
III. Quantum Key Distribution and its Limitations
Quantum Key Distribution (QKD), a technique in quantum cryptography, offers a way to exchange encryption keys securely. It uses quantum mechanics to detect any eavesdropping on the key exchange, which is a notable advantage over traditional methods. However, QKD has its limitations.
QKD requires a direct point-to-point connection, which is often impractical in a world interconnected by complex networks. Its performance also decreases over long distances due to quantum signal attenuation. Notably, QKD requires a classical channel to initiate the key distribution process, adding another layer of complexity to its implementation. Furthermore, due to their physical constraints, it cannot directly secure endpoints like mobile phones or IoT devices. These limitations not only restrict the versatility of QKD but also underscore the fact that while it’s a step forward, QKD may not be a comprehensive solution for data security in our modern world, teeming with interconnected devices like mobile phones and IoT gadgets.
The National Security Agency (NSA) of the United States has officially stated, “NSA does not support the usage of QKD or QC to protect communications in National Security Systems.” Their stance underscores the importance of addressing the challenges of quantum security with comprehensive solutions beyond QKD.
Read our earlier blog post Going Beyond the Limitations of Quantum Key Distribution for more details on QKD and its limitations.
IV. Quantum-Secure Key Generation: A Solution
Despite quantum key distribution (QKD) having theoretical merits in quantum cryptography, its limitations make clear the necessity for a tool that can secure diverse applications – from complex networks to mobile devices and IoT endpoints. The solution lies in Quantum Key Generation (QKG), which harnesses true quantum random numbers to address these challenges.
We need to revisit the One-Time Pad (OTP) encryption technique to appreciate Quantum Key Generation’s effectiveness. In OTP, an encryption key identical in size to the data being encrypted is used precisely once. If this key, created using true quantum randomness, is used just once, the encryption becomes computationally unbreakable. This feature provides an enormous advantage over other encryption methods.
Quantum Key Generation enhances OTP. Leveraging quantum randomness enables independent generation of truly random encryption keys (or one-time pads) at multiple endpoints, regardless of the distance. This crucial feature helps mitigate the ‘harvest now, decrypt later’ attack, a primary threat posed by quantum computers.
Two distinct methods deploy Quantum Key Generation to thwart this attack. The first method generates one-time pads for data encryption. Given that OTP provides information-theoretically secure encryption, data sent using these pads are immune to future decryption, even by quantum computers, making the ‘harvest now, decrypt later’ attack fruitless. The second method generates AES keys. Although these keys may not be quantum-secure, they are sent through an OTP-encrypted tunnel, ensuring key safety during transmission and eliminating the risk of interception and subsequent decryption.
Quantum Key Generation’s flexibility is notable. Depending on the use case, it can generate one-time pads for quantum-secure encryption or AES keys for encryption workflows that counteract the ‘harvest now, decrypt later’ attack. One of the strongest selling points of Quantum Key Generation is its ease of integration. It seamlessly fits into existing infrastructures, thereby enhancing their security manifold without necessitating extensive overhauls or expensive modifications. This characteristic makes Quantum Key Generation a practical, cost-effective solution for entities looking to bolster their data security in the quantum age.
In summary, Quantum Key Generation uses quantum randomness to generate secure encryption keys. This powerful technology provides a comprehensive solution for data security, preparing us for the impending quantum computing era.
Understanding Quantum Random Number Generation and Quantum Key Generation is crucial to navigating the evolving landscape of quantum security. While QKD has its merits, it has significant limitations, and a more comprehensive solution like Quantum Key Generation is necessary for the security of complex networks and small endpoints.
As we move further into the quantum age, these tools will become increasingly significant in providing unbreakable encryption and ensuring data remains confidential and secure. The next post will explore the imminent risks posed by ‘harvest now, decrypt later’ attacks and the developing quantum cryptography standards. As we forge ahead into the quantum era, the understanding of Quantum Random Number Generation and Quantum Key Generation becomes crucial in bolstering quantum security and preparing ourselves for the challenges ahead.